Abstract. The security of the Bitcoin cryptocurrency system depends
on the Koblitz curve secp256k1 combined with the digital signature
ECDSA and the hash function SHA-256. In this paper, we show that
the security of Bitcoin with ECDSA and secp256k1 is not optimal and
present a detailed study of the efficiency of Bitcoin with the digital
signature algorithm Ed25519 combined with the twisted Edwards curve
CurveEd25519 and the hash function SHA-512. We show that Bitcoin
is more secure and more efficient with the digital signature algorithm
Ed25519 and the twisted Edwards curve CurveEd25519.

Subject Classifications: 94A60 


Keywords: Cryptography - cryptocurrency - Bitcoin - Security - Twisted 
Edwards curves - Signature 


1 Introduction 


Progress in information technology is changing the way individuals transfer
cash, from paper to digital cash or electronic money (e-money).
Electronic money is a substitute for cash. It is stored in electronic devices on
remote servers. The use of e-money is highly encouraged in several countries and
aims to create new, safe and practical development services. Transactions are
becoming easier and cheaper, and online payments and operations on our accounts
are possible anytime and anywhere. Meanwhile, the security of electronic
systems has become a serious concern. The amount of fraud, the attacks launched
by various hackers, and the problems of confidentiality and authentication pose a
great danger to electronic systems. To overcome these problems, cryptography
offers many solutions. Cryptography is used to secure e-commerce, the cloud, and
internet communications, and to protect sensitive banking and military information
and information systems.

Another important application of cryptography is to secure the Bitcoin system.
Bitcoin is a peer-to-peer network without any central authority such as banks or
governments. It was presented in 2008 by Satoshi Nakamoto [26] and launched in
2009. To authorize payments or transfers, Bitcoin uses the Elliptic Curve Digital
Signature Algorithm (ECDSA) [17] with the hash function SHA-256 [18], and
the Koblitz curve secp256k1 with the equation

$$\text{secp256k1}: y^2 = x^3 + 7 \pmod{p_1}, \quad p_1 = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1.$$


The Koblitz curve secp256k1 was proposed in 2000 by the Standards for Efficient
Cryptography Group of Certicom in the standards for efficient cryptography
SEC2 [10] and has been used in the Bitcoin system since 2009. The Koblitz curve
secp256k1 seems to have many advantages when used in industrial applications,
especially efficiency, security and shortness of the key.

In this paper, we study the possibility of using the digital signature Ed25519 [4]
based on the twisted Edwards curve CurveEd25519 with the equation

$$\text{CurveEd25519}: -x^2 + y^2 = 1 - \frac{121665}{121666} x^2 y^2 \pmod{p_2}, \quad p_2 = 2^{255} - 19,$$


to secure Bitcoin instead of ECDSA with the Koblitz curve secp256k1. We com- 
pare the security and the efficiency of operations on the curves secp256k1 and 
CurveEd25519, and then the security and the efficiency of the digital signatures 
ECDSA with secp256k1 and SHA-256 and Ed25519 with CurveEd25519 and 
SHA-512. 


Our comparison of the security of secp256k1 and CurveEd25519 is based on
the study of the resistance of both curves to the attacks on the elliptic curve
discrete logarithm problem (ECDLP). Our study shows that secp256k1 presents some
vulnerabilities with respect to the complex-multiplication field discriminant as
well as to Pollard’s rho attack while CurveEd25519 is safe.


Similarly, we study the efficiency of the arithmetical operations on the curves 
secp256k1 and CurveEd25519 over their finite fields. We compare the cost of 
adding two points or doubling a point on both curves. We find that the arithmetic 
of the twisted Edwards curve CurveEd25519 is more efficient than the arithmetic 
of the Koblitz curve secp256k1. 


Moreover, the digital signature Ed25519 uses the hash function SHA-512 
which presents more security and is more sustainable than the hash function 
SHA-256 used in ECDSA for the Bitcoin system. 


The former comparison suggests that the digital signature Ed25519 is more 
suitable for use in the Bitcoin system than ECDSA. 


The rest of this paper is organized as follows. In Section 2, we recall some facts
on Bitcoin, secp256k1, CurveEd25519, and Ed25519. In Section 3, we study and
compare the resistance of secp256k1 and CurveEd25519 to cryptanalytical attacks
on the elliptic curve discrete logarithm problem (ECDLP). In Section 4, we study the
efficiency of the arithmetic operations on the curve CurveEd25519. In Section 5,
we summarize the comparison of the digital signatures ECDSA and Ed25519. We
conclude the paper in Section 6.

2 Preliminaries


2.1 Description of Bitcoin 


Bitcoin is a digital currency and a peer-to-peer payment system developed by
an anonymous individual or group with the pseudonym Satoshi Nakamoto [26]
in 2008. Bitcoin users communicate with each other using a secure collection
of open source technologies. As a peer-to-peer system, there is no central
authority or central server. A public distributed ledger, the blockchain, is
available to everyone; verified transactions are registered in it, and the
verification is done on network nodes. Bitcoins are created by a process called
mining, and any participant in the Bitcoin network may operate as a miner
depending on its computer’s ability to process operations on bitcoins. The
transfer of bitcoins between users requires the use of cryptographic algorithms
to prove ownership of the bitcoins being transferred. The Bitcoin network
security is based on the digital signature scheme known as the Elliptic Curve
Digital Signature Algorithm (ECDSA) with the Koblitz curve secp256k1 to verify
ownership transactions on the network, combined with the hash function SHA-256.


2.2 Description of the Koblitz curve secp256k1 


In the Bitcoin system, the Elliptic Curve Digital Signature Algorithm (ECDSA)
is used to verify bitcoin transactions. ECDSA is an adaptation of the Digital
Signature Algorithm (DSA) using a Koblitz elliptic curve [17]. The elliptic curve
used for ECDSA in the Bitcoin system is the elliptic curve secp256k1, defined by
the Standards for Efficient Cryptography Group (SECG) [10], with the following
parameters:

• the prime number: $p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$,

• the equation: $y^2 = x^3 + 7 \pmod{p}$,

• the base point: $P = (55066263022277343669578718895168534326250603453777594175500187360389116729240,\ 32670510020758816978083085130507043184471273380659243275938904335757337482424)$,

• the order $n$ of $P$: $n = 2^{256} - 432420386565659656852420866394968145599$.

Adjoining the point at infinity $\mathcal{O}$, the curve secp256k1 has $n$ solutions. This
curve is also used as a standard by other blockchain systems such as Ethereum
and Zcash.


2.3 Description of ECDSA 


For the Bitcoin system, ECDSA is based on the Koblitz curve secp256k1 and on
the cryptographic hash function SHA-256. The implementation of ECDSA in
the Bitcoin system is composed of three algorithms: key generation, signing and
verification.

1. ECDSA Key generation algorithm.
   • Choose a random integer $d \in [1, n-1]$.
   • Compute $Q = (x_Q, y_Q) = dP$ on the curve secp256k1.
   • The public key is $Q$ and the private key is $d$.
2. ECDSA Signing. Given a message $m$ to be signed, the private key $d$ and
   a hash function $H$,
   • Choose a random integer $k \in [1, n-1]$.
   • Compute $G = (x_G, y_G) = kP$ on the curve secp256k1.
   • Compute $r = x_G \pmod{n}$. If $r = 0$, choose another $k$ and recompute $G$
     and $r$.
   • Compute $s = k^{-1}(H(m) + dr) \pmod{n}$.
   • The signature is the pair $(r, s)$.
3. ECDSA Verification. Given a signature $(r, s)$ and a hash function $H$,
   • Compute $w = s^{-1} \pmod{n}$.
   • Compute $u_1 = wH(m) \pmod{n}$ and $u_2 = wr \pmod{n}$.
   • Compute $(x_0, y_0) = u_1P + u_2Q$ on the curve secp256k1.
   • Accept the signature if $x_0 = r \pmod{n}$.
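
The three ECDSA algorithms above, written out in Python as an added example (not code from the paper or from any Bitcoin implementation). It assumes H is a single SHA-256 over the message bytes, adds the s = 0 retry and the range check on (r, s) that the ECDSA standard requires, and uses plain affine arithmetic that is not constant time; all function names are chosen here.

```python
import hashlib
import secrets

# secp256k1 domain parameters as listed in Section 2.2
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N = 2**256 - 432420386565659656852420866394968145599
G = (55066263022277343669578718895168534326250603453777594175500187360389116729240,
     32670510020758816978083085130507043184471273380659243275938904335757337482424)


def add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                      # A + (-A)
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def H(m):
    """H(m): SHA-256 digest of the message bytes read as an integer (assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def keygen():
    d = secrets.randbelow(N - 1) + 1          # d in [1, n-1]
    return d, mul(d, G)                       # (private key, public key Q = dP)


def sign(d, m):
    while True:
        k = secrets.randbelow(N - 1) + 1      # fresh secret k for every signature
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (H(m) + d * r) % N
        if r and s:                           # retry on r = 0, and on s = 0 (added check)
            return r, s


def verify(Q, m, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):         # added range check from the standard
        return False
    w = pow(s, -1, N)
    u1, u2 = w * H(m) % N, w * r % N
    X = add(mul(u1, G), mul(u2, Q))
    return X is not None and X[0] % N == r


if __name__ == "__main__":
    d, Q = keygen()
    msg = b"constructed sample message"
    print(verify(Q, msg, sign(d, msg)), verify(Q, b"tampered", sign(d, msg)))
```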


2.4 Description of the twisted Edwards Curve CurveEd25519 


In 2007, Edwards [14] introduced a new normal form for elliptic curves. In a
series of papers, Bernstein et al. [3,4] generalized the Edwards form to twisted
Edwards curves with the equation

$$ax^2 + y^2 = 1 + dx^2y^2, \quad a \neq d,\ ad \neq 0,$$

with a unique formula for both addition and doubling laws. Indeed, the sum of
two points $(x_1, y_1)$ and $(x_2, y_2)$ on a twisted Edwards curve is:

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2},\ \frac{y_1y_2 - ax_1x_2}{1 - dx_1x_2y_1y_2} \right).$$

The point $(0, 1)$ is the neutral element of the addition law, and the inverse of a
point $(x_1, y_1)$ on $E$ is simply $(-x_1, y_1)$.

In 2009, Bernstein [5] proposed Curve25519 to speed up the computation of the
Diffie-Hellman key exchange. Curve25519 is a Montgomery elliptic curve at the
128-bit security level with the equation

$$\text{Curve25519}: v^2 = u^3 + 486662u^2 + u \pmod{p}, \quad p = 2^{255} - 19.$$

The security of the curve Curve25519 was studied by Bernstein in [5] who
concluded that the arithmetic of this curve is fast and the security is optimal. Using
a birational equivalence, Curve25519 can be represented in a twisted Edwards
form. Let $Bv^2 = u^3 + Au^2 + u$ be the equation of a Montgomery elliptic curve.
For $v(u + 1) \neq 0$, define

$$X = \frac{u}{v}, \quad Y = \frac{u - 1}{u + 1}, \quad a = \frac{A + 2}{B}, \quad d = \frac{A - 2}{B}.$$

Then $aX^2 + Y^2 = 1 + dX^2Y^2$ represents the equation of a twisted Edwards
curve. For $A = 486662$ and $B = 1$ as in Curve25519, we get the following
equation $486664X^2 + Y^2 = 1 + 486660X^2Y^2$, or equivalently

$$-(-486664)X^2 + Y^2 = 1 - \frac{486660}{486664}(-486664)X^2Y^2.$$

Since $-486664$ is a square in $\mathbb{F}_p$, then $-486664 = s^2 \pmod{p}$ with

$$s = 51042569399160536130206135233146329284152202253034631822681833788666877215207.$$

Hence, the former equation can be rewritten as

$$-(sX)^2 + Y^2 = 1 - \frac{486660}{486664}(sX)^2Y^2.$$

Using the birational transformation $(x, y) = (sX, Y)$, the equation can be
rewritten as the equation of the curve CurveEd25519:

$$\text{CurveEd25519}: -x^2 + y^2 = 1 - \frac{486660}{486664}x^2y^2. \qquad (1)$$


This is the equation of the twisted Edwards curve used in [6] to construct the
digital signature Ed25519. The corresponding parameters are as follows.

• the prime number: $p = 2^{255} - 19$,

• the equation: $\text{CurveEd25519}: -x^2 + y^2 = 1 - \frac{121665}{121666}x^2y^2 \pmod{p}$,

• the base point: $B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,\ 46316835694926478169428394003475163141307993866256225615783033603165251855960)$,

• the order $n$ of $B$: $n = 2^{252} + 27742317777372353535851937790883648493$.


2.5 Description of the Digital Signature Ed25519 


In 2011, Bernstein et al. [6] proposed the digital signature scheme Ed25519, an
instance of the Elliptic Curve signature scheme EdDSA. The arithmetical
operations of Ed25519 are based on the fast twisted Edwards curve CurveEd25519
with the equation (1) modulo $p = 2^{255} - 19$. The digital signature Ed25519 uses
several domain parameters:

• Finite field $\mathbb{F}_p$ with $p = 2^{255} - 19$ and bit-size $b = 256$.

• Twisted Edwards curve with the equation (1).

• Base point $B$ given in Section 2.4 with order $n$.

• Hash function $H$ that produces a $2b$-bit output such as SHA-512.

Ed25519 consists of three algorithms: to generate the public and the
private keys, to sign a message $m$ and to verify the signature.

1. Ed25519 Key generation algorithm.
   • Choose a random integer $k \in [1, n-1]$.
   • Compute $H(k) = (h_0, h_1, \ldots, h_{2b-1})$ in binary representation.
   • Compute the integer $a = 2^{b-2} + \sum_{3 \le i \le b-3} 2^i h_i$.
   • Compute the public key $A = aB$ on the curve CurveEd25519.
2. Ed25519 Signing. Given a message $m$ to be signed and a hash function $H$,
   • Compute $r = H(h_b, \ldots, h_{2b-1}, m)$ as an integer modulo $n$.
   • Compute $R = rB$ on the curve CurveEd25519.
   • Compute $h = H(R, A, m)$ as an integer.
   • Compute $s = (r + ha) \pmod{n}$.
   • The signature is the pair $(R, s)$.
3. Ed25519 Verification. Given a signature $(R, s)$ and a hash function $H$,
   • Compute $h = H(R, A, m)$ as an integer.
   • Compute $U = 8sB$ on the curve CurveEd25519.
   • Compute $V = 8R + 8hA$ on the curve CurveEd25519.
   • Accept the signature if $U = V$.
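
The Ed25519 algorithms above, together with the twisted Edwards addition law of Section 2.4, as an added Python example (not code from the paper or from the authors of Ed25519). It assumes the secret k is a 32-byte string, the byte encoding of points and little-endian hash integers of [6]/RFC 8032, adds on-curve and range checks in verification, and is not constant time; function names are chosen here.

```python
import hashlib

B_BITS = 256
P = 2**255 - 19
N = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, -1, P) % P          # curve constant d of equation (1)
BASE = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
        46316835694926478169428394003475163141307993866256225615783033603165251855960)
NEUTRAL = (0, 1)


def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(A, C):
    """Addition law of Section 2.4 with a = -1; the same formula also doubles."""
    (x1, y1), (x2, y2) = A, C
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)


def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    R = NEUTRAL
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def encode(pt):
    """32-byte point encoding: y little-endian, parity of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def hash_int(*parts):
    """H(...): SHA-512 of the concatenated parts, read as a little-endian integer."""
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")


def keygen(k):
    """k is the 32-byte secret; returns (a, (h_b..h_{2b-1}) as bytes, A = aB)."""
    h = hashlib.sha512(k).digest()
    bit = lambda i: (h[i // 8] >> (i % 8)) & 1            # h_i
    a = 2**(B_BITS - 2) + sum(2**i * bit(i) for i in range(3, B_BITS - 2))
    return a, h[32:], mul(a, BASE)


def sign(k, m):
    a, prefix, A = keygen(k)
    r = hash_int(prefix, m) % N                # deterministic, derived from key and message
    R = mul(r, BASE)
    h = hash_int(encode(R), encode(A), m)
    return R, (r + h * a) % N


def verify(A, m, sig):
    R, s = sig
    if not (on_curve(R) and on_curve(A) and 0 <= s < N):  # added sanity checks
        return False
    h = hash_int(encode(R), encode(A), m)
    U = mul(8 * s, BASE)                        # U = 8sB
    V = add(mul(8, R), mul(8 * h, A))           # V = 8R + 8hA
    return U == V


if __name__ == "__main__":
    k = bytes(range(32))                        # constructed secret, illustration only
    A = keygen(k)[2]
    sig = sign(k, b"constructed sample message")
    print(verify(A, b"constructed sample message", sig), verify(A, b"tampered", sig))
```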


3 Resistance of secp256k1 and CurveEd25519 to 
cryptanalytical attacks 


The Koblitz curve secp256k1 is defined by the equation

$$\text{secp256k1}: y^2 = x^3 + 7 \pmod{p_1}, \quad p_1 = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1.$$

The order of its base point and the order of the curve secp256k1 are

$$n_1 = 2^{256} - 432420386565659656852420866394968145599, \quad \#\text{secp256k1}(\mathbb{F}_{p_1}) = n_1.$$

The twisted Edwards curve CurveEd25519 is defined by the equation

$$\text{CurveEd25519}: -x^2 + y^2 = 1 - \frac{121665}{121666}x^2y^2 \pmod{p_2}, \quad p_2 = 2^{255} - 19.$$

The order of its base point and the order of the curve CurveEd25519 are

$$n_2 = 2^{252} + 27742317777372353535851937790883648493, \quad \#\text{CurveEd25519}(\mathbb{F}_{p_2}) = 8n_2.$$

The security of elliptic curve cryptosystems is based on the computational
intractability of the Elliptic Curve Discrete Logarithm Problem (ECDLP): Given
an elliptic curve $E$ and two points $P$ and $Q$ on $E$ such that $Q = kP$, find $k$. The
hardness of the ECDLP depends on certain properties of the elliptic curve $E$ and
the base point $P \in E(\mathbb{F}_p)$. In the rest of this section, we give a detailed study
of the resistance of the Koblitz curve secp256k1 and the twisted Edwards curve
CurveEd25519 to various cryptanalytic attacks.

3.1 Complex-multiplication field discriminants


If $E$ is an elliptic curve over a finite field $\mathbb{F}_p$, then the number of rational points is
$\#E(\mathbb{F}_p) = p + 1 - t$ where $t$ is the trace of the Frobenius endomorphism, which
by Hasse’s Theorem satisfies $-2\sqrt{p} < t < 2\sqrt{p}$. Then $t^2 - 4p < 0$ and we can
write

$$t^2 - 4p = -s^2 d,$$

where $d$ is square-free. Then $s$ is the largest integer such that $s^2$ divides $t^2 - 4p$.
The complex-multiplication field discriminant of the elliptic curve $E$ is the
integer $D$ with


(mod 4). 


The complex-multiplication field discriminant $D$ is considered as a security
parameter by the standard Brainpool [13] and by the SafeCurves web page [9]. It
is required that $|D|$ should be large, typically $|D| > 2^{100}$.

For the curve secp256k1, we have

$$t_1 = p_1 + 1 - \#\text{secp256k1}(\mathbb{F}_{p_1}) = 432420386565659656852420866390673177327,$$

and

$$t_1^2 - 4p_1 = -(79 \cdot 349 \cdot 2698097 \cdot 1359580455984873519493666411)^2 \cdot 3.$$

It follows that the complex-multiplication field discriminant is $D_1 = -3$ which
is much smaller than the required lower bound $2^{100}$.

The twisted Edwards curve CurveEd25519 is birationally equivalent to the
Montgomery curve with the equation

$$\text{Curve25519}: v^2 = u^3 + 486662u^2 + u \pmod{p_2}, \quad p_2 = 2^{255} - 19.$$

For Curve25519, we have

$$t_2 = p_2 + 1 - \#\text{Curve25519}(\mathbb{F}_{p_2}) = -221938542218978828286815502327069187962,$$

and

$$t_2^2 - 4p_2 = -2^4 \cdot 16451 \cdot 8312956054562778877481 \cdot 83326725728999296701078628838522133333655224556987.$$

Then, the complex-multiplication field discriminant is $D_2 = \frac{t_2^2 - 4p_2}{4}$ and
satisfies $|D_2| > 2^{254}$ which is much larger than the required bound $2^{100}$.

As a consequence of the former study, the curve CurveEd25519 is much
stronger than the curve secp256k1 with respect to the complex-multiplication
field discriminant criterion.

3.2 Pohlig-Hellman attack


The Pohlig-Hellman algorithm [28] is an algorithm for solving the discrete
logarithm problem on finite fields or elliptic curves. For an elliptic curve with
base point $P$ of order $n$, the attack reduces the problem of finding the discrete
logarithm $k$ satisfying $Q = kP$ first to recovering $k$ modulo each of the prime
factors of the order $n$ of $P$, and second to applying the Chinese Remainder
Theorem to recover $k$ entirely modulo $n$. The expected running time of the
Pohlig-Hellman algorithm is $O(\sqrt{n'})$ where $n'$ is the largest prime factor of $n$. In
order to maximize resistance to the Pohlig-Hellman attack, the elliptic curve
parameters should be selected so that the order $n$ of the base point $P$ is divisible
by a large prime. For the curves secp256k1 and CurveEd25519, the orders $n_1$
and $n_2$ of the base points are prime numbers. This increases the resistance of
both curves to the Pohlig-Hellman attack.


3.3 Pollard’s rho attack 


This algorithm was presented by Pollard [29] in 1978 to attack the discrete
logarithm problem in finite fields. Since then, it has been adapted to attack the
elliptic curve discrete logarithm problem. The main idea behind Pollard’s rho
algorithm is to find distinct pairs $(u, v)$ and $(u', v')$ of integers such that
$uP + vQ = u'P + v'Q$ from which we deduce $k = (v' - v)(u - u')^{-1} \pmod{n}$ when
$\gcd(n, u - u') = 1$. Such an occurrence is called a collision and can be applied
to the curves secp256k1 and CurveEd25519 since the order of their base points
is a prime number in both cases. The expected number of iterations before a
collision is obtained is approximately $O(\sqrt{n})$ [20] and requires approximately
$O(\sqrt{n})$ amount of storage. For the curve secp256k1, we have $\sqrt{n_1} \approx 2^{128}$,
and for CurveEd25519, we have $\sqrt{n_2} \approx 2^{126}$. Hence, both curves have a high
bit-security level and seem resistant to Pollard’s rho method. However, the curve
secp256k1 has j-invariant 0 and has specific properties such as efficient
computation of endomorphisms of certain multiples of points. This can be turned
into a vulnerability by speeding up Pollard’s rho algorithm (see [2] for more details
and discussions). For the curve CurveEd25519, via the Montgomery curve Curve25519,
the j-invariant is not 0 so that the speed-up of Pollard’s rho algorithm is not
possible.

Summarising the former comparison, the curve secp256k1 is more sensitive
to Pollard’s rho algorithm than the curve CurveEd25519.


3.4 Anomalous attack 


An elliptic curve $E$ over a prime field $\mathbb{F}_p$ is anomalous if $\#E(\mathbb{F}_p) = p$. For
anomalous curves, the group $E(\mathbb{F}_p)$ is cyclic since it has prime order, and hence
$E(\mathbb{F}_p)$ is isomorphic to the additive group $\mathbb{F}_p^+$ of integers modulo $p$. Semaev [33],
Smart [35], and Satoh and Araki [31] independently proposed an efficient attack
for the ECDLP in the anomalous case which reduces the ECDLP in an elliptic
curve to addition in the additive group $\mathbb{F}_p^+$ by a lifting modulo $p^2$. The curves
secp256k1 and CurveEd25519 are resistant to the anomalous attack since the
prime moduli $p_1$, $p_2$ are different from the number of points of both curves,
more specifically, $\#\text{secp256k1}(\mathbb{F}_{p_1}) = n_1 \neq p_1$, and
$\#\text{CurveEd25519}(\mathbb{F}_{p_2}) = 8n_2 \neq p_2$.


3.5 The Frey-Rück attack 


Frey and Rück [19] described a method based on the Tate-Lichtenbaum pairing to
reduce ECDLP on the elliptic curve $E$ over $\mathbb{F}_p$ to the discrete logarithm problem
in the multiplicative group $\mathbb{F}_{p^k}^*$ for some extension of the base field $\mathbb{F}_p$. For $k <
30$, the index calculus method can solve the DLP in subexponential time in the
multiplicative group $\mathbb{F}_{p^k}^*$. In general, the embedding degree is usually enormous,
and the criterion to avoid the attack is that the order $n$ of the base point of the
elliptic curve satisfies $n \mid (p^k - 1)$ only for large values of $k$. The curves secp256k1
and CurveEd25519 are such that $n_1 \nmid (p_1^k - 1)$ and $n_2 \nmid (p_2^k - 1)$ for k < 10°.
As a consequence, both curves are resistant to the Frey-Rück attack.


3.6 MOV supersingular attack 


An elliptic curve $E$ over a finite field $\mathbb{F}_p$ is called supersingular if $\#E(\mathbb{F}_p) =
p + 1$. Menezes, Okamoto and Vanstone [24] described how the Weil pairing
can be used to reduce ECDLP on the elliptic curve $E$ over $\mathbb{F}_p$ to the discrete
logarithm problem in the multiplicative group $\mathbb{F}_{p^k}^*$ for $k \le 6$, where the index
calculus method can solve the DLP in subexponential time. This implies that
supersingular elliptic curves are too weak to be used in cryptography. The curves
secp256k1 and CurveEd25519 are not supersingular since $\#\text{secp256k1}(\mathbb{F}_{p_1}) =
n_1 \neq p_1 + 1$, and $\#\text{CurveEd25519}(\mathbb{F}_{p_2}) = 8n_2 \neq p_2 + 1$. As a consequence, both
curves are resistant to the MOV supersingular attack.


3.7 Comparison of the security 


Table 1 summarizes the former cryptanalytical study.

| Attack | Attack condition | Resistance of secp256k1 | Resistance of CurveEd25519 |
|---|---|---|---|
| CM field discriminants | $\lvert D \rvert > 2^{100}$ | $\lvert D_1 \rvert < 2^2$ | $\lvert D_2 \rvert > 2^{254}$ |
| Pohlig-Hellman | $n$ with small factors | $n_1$ is prime | $n_2$ is prime |
| Pollard’s rho | small $\sqrt{n}$ | $n_1 > 2^{255}$ is large | $n_2 > 2^{254}$ is large |
| j-invariant | $j = 0$ | $j = 0$ | $j \neq 0$ |
| Anomalous | $n = p$ | $n_1 \neq p_1$ | $n_2 \neq p_2$ |
| Frey-Rück | $n \mid (p^k - 1)$ for $k < 30$ | $n_1 \nmid (p_1^k - 1)$ | $n_2 \nmid (p_2^k - 1)$ |
| MOV | $n = p + 1$ | $n_1 \neq p_1 + 1$ | $n_2 \neq p_2 + 1$ |


Table 1: Resistance of secp256k1 and CurveEd25519 to cryptanalytical attacks 


Table 1 shows that CurveEd25519 is more resistant than the curve secp256k1
to at least two attacks. As a consequence, CurveEd25519 can be used for
industrial applications, such as in a Bitcoin system.
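
The criteria of Sections 3.1 and 3.3 to 3.6 can be recomputed from the curve parameters alone. The Python code below is an added example, not code from the paper; the trial-division bound, the embedding-degree bound max_k = 1000 and all function names are assumptions made here, and the discriminant routine treats the cofactor left after trial division as square-free unless it is a perfect square.

```python
from math import isqrt, log2

# Parameters from Sections 2.2, 2.4 and 3 of the text
P1 = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N1 = 2**256 - 432420386565659656852420866394968145599
P2 = 2**255 - 19
N2 = 2**252 + 27742317777372353535851937790883648493


def cm_discriminant(p, order, bound=10**5):
    """CM field discriminant D derived from t^2 - 4p = -s^2 * d, d square-free.

    Primes below `bound` are removed by trial division. The remaining cofactor
    is either a perfect square (it then belongs to s^2) or is assumed to be
    square-free, since fully factoring it is out of scope for this example.
    """
    t = p + 1 - order
    m = 4 * p - t * t                 # positive by Hasse's theorem
    d, q = 1, 2
    while q < bound:
        e = 0
        while m % q == 0:
            m //= q
            e += 1
        if e % 2:
            d *= q                    # odd exponent: q divides the square-free part
        q += 1
    if isqrt(m) ** 2 != m:
        d *= m
    # D = -d if -d = 1 (mod 4), and D = -4d otherwise
    return -d if (-d) % 4 == 1 else -4 * d


def is_anomalous(p, order):
    return order == p                 # Section 3.4


def is_supersingular(p, order):
    return order == p + 1             # criterion used in Section 3.6


def embedding_degree(p, n, max_k):
    """Smallest k <= max_k with n | p^k - 1 (Sections 3.5 and 3.6), else None."""
    x = 1
    for k in range(1, max_k + 1):
        x = x * p % n
        if x == 1:
            return k
    return None


def report(p, n, cofactor=1, max_k=1000):
    """Checks for a curve over F_p with base-point order n and #E = cofactor * n."""
    order = cofactor * n
    D = cm_discriminant(p, order)
    return {
        "D": D,
        "cm_ok": abs(D) > 2**100,                    # Section 3.1 requirement
        "rho_bits": round(log2(n) / 2),              # log2 of sqrt(n), Section 3.3
        "anomalous": is_anomalous(p, order),
        "supersingular": is_supersingular(p, order),
        "small_embedding_degree": embedding_degree(p, n, max_k),
    }


if __name__ == "__main__":
    print("secp256k1   ", report(P1, N1))
    print("CurveEd25519", report(P2, N2, cofactor=8))
```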


4 Comparison of the Efficiency of secp256k1 and 
CurveEd25519 


In this section, we give a comparison of the efficiency of the arithmetical opera- 
tions of the curves secp256k1 and CurveEd25519. 


4.1 Efficiency of CurveEd25519 


CurveEd25519 is a particular case of a twisted Edwards curve $E_{a,d}$ defined
over the finite field $\mathbb{F}_p$ by the equation

$$E_{a,d}: ax^2 + y^2 = 1 + dx^2y^2, \quad a \neq d,\ ad \neq 0.$$

In [21], Hisil et al. presented a technique to perform operations on $E_{a,d}$ based on
the representation of a point $P = (x, y)$ by the quadruple $(X : Y : T : Z)$ where
$x = \frac{X}{Z}$, $y = \frac{Y}{Z}$, $xy = \frac{T}{Z}$, and $Z \neq 0$. With this notation, the twisted Edwards
curve equation transforms into an extended one, namely

$$E^e_{a,d}: (aX^2 + Y^2)Z^2 = Z^4 + dT^2Z^2, \quad a \neq d,\ ad \neq 0.$$

The negative of a point $(X : Y : T : Z) \in E^e_{a,d}$ is the point $(-X : Y : -T : Z)$
and the point at infinity $\mathcal{O}$ is represented by $(0 : 1 : 0 : 1)$.

When $a = -1$ as in CurveEd25519, the addition of two distinct points
$(X_1 : Y_1 : T_1 : Z_1)$ and $(X_2 : Y_2 : T_2 : Z_2)$ can be performed with the following
operations

$$\begin{array}{llll}
A = (Y_1 - X_1) \cdot (Y_2 + X_2), & B = (Y_1 + X_1) \cdot (Y_2 - X_2), & C = 2Z_1 \cdot T_2, & D = 2T_1 \cdot Z_2, \\
E = D + C, & F = B - A, & G = B + A, & H = D - C, \\
X_3 = E \cdot F, & Y_3 = G \cdot H, & T_3 = E \cdot H, & Z_3 = F \cdot G.
\end{array}$$

Table 2: Addition in CurveEd25519

The computational cost of the addition on $E^e_{a,d}$ is then eight multiplications
(8M), two doublings (2D), and eight additions (8Add) in the field $\mathbb{F}_p$. This can be
reduced to 7M + 2D + 7Add when $Z_2 = 1$.

Similarly, for $a = -1$ as in CurveEd25519, the doubling of a point
$(X_1 : Y_1 : T_1 : Z_1)$ can be performed with the following operations

$$\begin{array}{llll}
A = X_1^2, & B = Y_1^2, & C = 2Z_1^2, & D = -A, \\
E = (X_1 + Y_1)^2 - A - B, & G = D + B, & F = G - C, & H = D - B, \\
X_3 = E \cdot F, & Y_3 = G \cdot H, & T_3 = E \cdot H, & Z_3 = F \cdot G.
\end{array}$$

Table 3: Doubling in CurveEd25519

The computational cost of the doubling on $E^e_{a,d}$ is then four multiplications
(4M), four squarings (4S), one doubling (1D) and six additions (6Add) in the
field $\mathbb{F}_p$. This can be reduced to 3M + 4S + 1D + 6Add by performing a parallel
doubling process (see [21], Section 4.4). There are other ways to perform addition
and doubling on twisted Edwards curves as shown in [6]. The advantage of the
methods presented above is that they do not use the curve parameter $d$ as input.
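
The operations of Tables 2 and 3 can be checked against the group structure of CurveEd25519. The Python code below is an added example, not code from the paper or from [21]; the helper names and the left-to-right scalar multiplication are chosen here, and the curve constant d is used only by the on-curve test, never by the addition or doubling.

```python
P = 2**255 - 19
N = 2**252 + 27742317777372353535851937790883648493
D_CURVE = -121665 * pow(121666, -1, P) % P      # d of equation (1), for on_curve only
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960


def to_extended(x, y):
    """(x, y) -> (X : Y : T : Z) with Z = 1 and T = xy."""
    return (x, y, x * y % P, 1)


def to_affine(pt):
    X, Y, T, Z = pt
    zi = pow(Z, -1, P)
    return (X * zi % P, Y * zi % P)


def on_curve(x, y):
    return (-x * x + y * y - 1 - D_CURVE * x * x * y * y) % P == 0


def ext_add(p1, p2):
    """Table 2: addition for a = -1. The two points must be distinct."""
    X1, Y1, T1, Z1 = p1
    X2, Y2, T2, Z2 = p2
    A = (Y1 - X1) * (Y2 + X2) % P
    B = (Y1 + X1) * (Y2 - X2) % P
    C = 2 * Z1 * T2 % P
    D = 2 * T1 * Z2 % P
    E, F, G, H = D + C, B - A, B + A, D - C
    return (E * F % P, G * H % P, E * H % P, F * G % P)


def ext_dbl(p1):
    """Table 3: doubling for a = -1 (T1 is not needed)."""
    X1, Y1, _, Z1 = p1
    A = X1 * X1 % P
    B = Y1 * Y1 % P
    C = 2 * Z1 * Z1 % P
    D = -A
    E = ((X1 + Y1) ** 2 - A - B) % P
    G = D + B
    F = G - C
    H = D - B
    return (E * F % P, G * H % P, E * H % P, F * G % P)


def ext_mul(k, pt):
    """Left-to-right double-and-add built only from Tables 2 and 3.

    For a point of odd prime order and 0 < k <= N the accumulator never equals
    pt when ext_add is called, so the distinct-points condition holds.
    """
    R = (0, 1, 0, 1)
    for bit in bin(k)[2:]:
        R = ext_dbl(R)
        if bit == "1":
            R = ext_add(R, pt)
    return R


if __name__ == "__main__":
    base = to_extended(BX, BY)
    print(to_affine(ext_mul(N, base)))           # neutral element (0, 1)
```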


4.2 Efficiency of secp256k1 


The Koblitz curve secp256k1 with the equation $y^2 = x^3 + 7 \pmod{p_1}$ belongs
to the family of curves with a short Weierstrass equation of the form
$y^2 = x^3 + ax + b$. Any point $(x, y)$ on this curve can be represented by the projective
point $(X : Y : Z)$ with $x = \frac{X}{Z}$ and $y = \frac{Y}{Z}$ for $Z \neq 0$ and $(0 : 1 : 0)$ for the
point at infinity. Then, the Weierstrass equation transforms to the projective
one $Y^2Z = X^3 + aXZ^2 + bZ^3$. The addition law in the projective case has many
forms. To compute the sum

$$(X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2) = (X_3 : Y_3 : Z_3),$$

the following formula for addition has an optimal efficiency (see [7], the
“add-1998-cmo-2” addition formulas).

$$\begin{array}{lll}
Z1Z1 = Z_1^2, & Z2Z2 = Z_2^2, & U1 = X_1 \cdot Z2Z2, \\
U2 = X_2 \cdot Z1Z1, & S1 = Y_1 \cdot Z_2 \cdot Z2Z2, & S2 = Y_2 \cdot Z_1 \cdot Z1Z1, \\
H = U2 - U1, & HH = H^2, & HHH = H \cdot HH, \\
r = S2 - S1, & V = U1 \cdot HH, & \\
X_3 = r^2 - HHH - 2V, & Y_3 = r \cdot (V - X_3) - S1 \cdot HHH, & Z_3 = Z_1 \cdot Z_2 \cdot H.
\end{array}$$

Table 4: Point addition in secp256k1

The computational cost of the point addition on secp256k1 is then twelve
multiplications (12M), four squarings (4S), one doubling (1D) and six additions
(6Add) in the field $\mathbb{F}_{p_1}$.

To compute the double point $2(X_1 : Y_1 : Z_1) = (X_3 : Y_3 : Z_3)$, the following
formula has an optimal efficiency (see [7], the “dbl-1998-cmo-2” doubling
formulas).

$$\begin{array}{lll}
XX = X_1^2, & YY = Y_1^2, & ZZ = Z_1^2, \\
S = 4X_1 \cdot YY, & M = 3XX + a \cdot ZZ^2, & T = M^2 - 2 \cdot S, \\
X_3 = T, & Y_3 = M \cdot (S - T) - 8YY^2, & Z_3 = 2Y_1 \cdot Z_1.
\end{array}$$

Table 5: Point doubling in secp256k1

The computational cost of the point doubling on secp256k1 is then three
multiplications (3M), six squarings (6S), eight doublings (8D) and five additions
(5Add) in the field $\mathbb{F}_{p_1}$.

Table 6 gives the cost of the point addition and point doubling
on the curves secp256k1 and CurveEd25519 in terms of the field arithmetic
multiplication (M), squaring (S), doubling (D) and addition (Add).

| Curve | Addition | Doubling |
|---|---|---|
| secp256k1 | 12M + 4S + 1D + 6Add | 3M + 6S + 8D + 5Add |
| CurveEd25519 | 7M + 2D + 7Add | 3M + 4S + 1D + 6Add |

Table 6: Arithmetic comparison of secp256k1 and CurveEd25519

In [6], there are various ways to speed up the computation on $\mathbb{F}_{p_2}$, so the
arithmetic operations are efficient and fast in this field. For more detail, see
Section 5.2.

Table 6 shows that the operations on CurveEd25519 are faster than the
operations on secp256k1. Other forms of elliptic curves exist with explicit formulas for
the cost of the addition or doubling of points [8,30]. In all cases, the operations on
Edwards curves are the fastest compared to the other forms. As a consequence,
for efficiency reasons, it is more convenient to use the curve CurveEd25519 for
industrial applications such as in a Bitcoin system.


5 Comparison of the digital signatures ECDSA and 
Ed25519 


In this section, we show that the digital signature Ed25519 based on the curve 
CurveEd25519 is more suitable for the Bitcoin system than the digital signature 
ECDSA which is used in practice. 


5.1 The elliptic curves 


The elliptic digital signature algorithm ECDSA is based on the Koblitz elliptic
curve secp256k1 while the digital signature Ed25519 is based on the twisted
Edwards curve CurveEd25519. In the past sections, we have shown that the
curve secp256k1 is more vulnerable to Pollard’s rho attack while the curve
CurveEd25519 is safe. Moreover, as discussed in [2], secp256k1 is more
vulnerable to specific attacks based on some of its twists. More vulnerabilities of
secp256k1 are listed in [23]. As a consequence, CurveEd25519 is more secure
than secp256k1 for industrial applications, especially for Bitcoin.


5.2 The finite fields 


ECDSA uses the Koblitz elliptic curve secp256k1 over the finite field $\mathbb{F}_{p_1}$ where
$p_1 = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$. The digital signature Ed25519 uses the
twisted Edwards curve CurveEd25519 over the field $\mathbb{F}_{p_2}$ where $p_2 = 2^{255} - 19$.
There are various ways to speed up the computation on $\mathbb{F}_{p_2}$. In [6], any integer
$a$ modulo $p_2$ is represented in base $2^{51}$ as

$$a = a_0 + 2^{51}a_1 + 2^{102}a_2 + 2^{153}a_3 + 2^{204}a_4, \quad a_i \in \{0, \ldots, 2^{51} - 1\}.$$

This representation is then used to process the multiplication and squaring
in an efficient way to fit a 128-bit serial multiplier. Moreover, in [6], any integer
$b$ modulo $p_2$ is represented in base $2^{25.5}$ using the sequence $2^{\lceil 25.5 i \rceil}$ for $i = 0, \ldots, 9$
as

$$b = b_0 + 2^{26}b_1 + 2^{51}b_2 + 2^{77}b_3 + 2^{102}b_4 + 2^{128}b_5 + 2^{153}b_6 + 2^{179}b_7 + 2^{204}b_8 + 2^{230}b_9, \quad b_i \in \{-2^{25}, \ldots, 2^{25}\}.$$

This representation is efficient in processing the multiplication and squaring on a
64-bit serial multiplier. As a consequence, the arithmetic operations are efficient
in the field $\mathbb{F}_{p_2}$. This makes Ed25519 a good candidate for industrial applications,
especially for Bitcoin.

5.3 The hash functions


In Bitcoin, the Koblitz curve secp256k1 is combined with the hash function
SHA-256 in the ECDSA signature process. In a similar way, the digital signature
Ed25519 combines the curve CurveEd25519 with the hash function SHA-512.
SHA-256 and SHA-512 are parts of the SHA-2 family, standardized in 2001 by
the National Institute of Standards and Technology (NIST) [18]. The SHA-2
family will remain deployed in the future even in the presence of SHA-3. SHA-256
and SHA-512 are closely related since they use very similar algorithms, based on
the same byte operations. They differ only in the input bit lengths and produce
outputs of lengths of 256 bits and 512 bits respectively. Nevertheless, SHA-256
and SHA-512 differ in security level. SHA-512 is more secure than SHA-256
and is recommended by various cryptographic standards such as NIST [27],
ENISA [15] and BlueKrypt [1] for use with more sensitive data and for longer
terms. This is an advantage for the digital signature Ed25519 over the digital
signature ECDSA for long terms.


6 Conclusion 


We have studied and compared the digital signature ECDSA with the Koblitz
elliptic curve secp256k1 and the digital signature Ed25519 based on the twisted
Edwards curve CurveEd25519 for use in Bitcoin. Our analysis of the security
shows that the curve CurveEd25519 is more secure than secp256k1, especially
against Pollard’s rho attack on the elliptic discrete logarithm problem. Moreover,
our study of the efficiency and implementation shows that Ed25519 is more
efficient. We conclude that Ed25519 is more suitable for use in the Bitcoin system,
especially for long term applications.